List external applications with highly privileged permissions
External Application High Priv Permissions
Query
OAuthAppInfo
| where AppOrigin == "External"
| where PrivilegeLevel == "High"
| summarize arg_max(Timestamp, *) by OAuthAppId
| extend PublisherName = tostring(VerifiedPublisher.displayName), DateAdded = todatetime(VerifiedPublisher.addedDateTime)
| project AppName, OAuthAppId, ServicePrincipalId, AddedOnTime, PublisherName, AppOwnerTenantIdAbout this query
List external applications with highly privileged permissions
Query Information
Description
The query below lists the external applications with highly privileged permissions. It is highly recommended to periodicly review the high priviliged external applications.
Risk
A third party application can be abused to steal information from your organization.
Defender XDR
Sentinel
OAuthAppInfo
| where AppOrigin == "External"
| where PrivilegeLevel == "High"
| summarize arg_max(TimeGenerated, *) by OAuthAppId
| extend PublisherName = tostring(VerifiedPublisher.displayName), DateAdded = todatetime(VerifiedPublisher.addedDateTime)
| project AppName, OAuthAppId, ServicePrincipalId, AddedOnTime, PublisherName, AppOwnerTenantId
Explanation
The provided KQL queries are designed to identify and list external applications that have been granted high-level permissions within an organization's environment. These applications are considered high-risk because they have significant access privileges, which could potentially be exploited by third parties to access or steal sensitive information from the organization.
Here's a simplified breakdown of what each part of the query does:
-
Data Source: The queries pull data from a table called
OAuthAppInfo, which contains information about OAuth applications. -
Filter Criteria:
- The queries filter for applications where
AppOriginis "External", meaning the applications are not developed internally by the organization. - They further filter for applications with a
PrivilegeLevelof "High", indicating these applications have significant access rights.
- The queries filter for applications where
-
Data Aggregation:
- The
summarize arg_max()function is used to group the data byOAuthAppId, ensuring that only the most recent entry for each application is considered based on the timestamp (Timestampin Defender XDR andTimeGeneratedin Sentinel).
- The
-
Data Transformation:
- The
extendfunction is used to add additional information about the application's publisher, such as the publisher's name and the date the publisher was verified.
- The
-
Data Projection:
- Finally, the
projectfunction selects specific columns to display in the output: the application's name (AppName), its unique identifier (OAuthAppId), the service principal ID (ServicePrincipalId), the time it was added (AddedOnTime), the publisher's name (PublisherName), and the tenant ID of the application's owner (AppOwnerTenantId).
- Finally, the
Overall, the queries are intended to help security teams regularly review and monitor external applications with high privileges to mitigate potential security risks.
Details

Bert-Jan Pals
Released: April 14, 2025
Tables
Keywords
Operators